Microsoft Warns of Zero Day Bug Affecting Internet Explorer 6-8
Microsoft is currently investigating reports of a zero day bug affecting Internet Explorer 6, Internet Explorer 7, and Internet Explorer 8, the company announced in a Security Advisory. At issue is a remote code execution vulnerability that would allow attackers to seize control of a Windows PC.
How it works is IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically:
How it works is IE attempts to reference and use an object that had previously been freed. The components of an exploit for such a vulnerability are typically:
- Javascript to trigger the Internet Explorer vulnerability
- Heap spray or similar memory preparation to ensure the memory being accessed after it has been freed is useful
- A way around the ASLR platform-level mitigation
- A way around the DEP platform-level mitigation
Microsoft suggests disabling certain services while it works on a patch. Alternately, you can use an different browser like Google Chrome
"The IE team is working around the clock to develop a security update to address this vulnerability for earlier versions of the product," Microsoft stated. " However, until the update is available, customers using Internet Explorer 8 can block the current targeted attacks by introducing changes to disrupt any of the elements of the exploit."
Those changes include disabling Javascript, disabling Flash, and disabling the MS-Help protocol handler along with ensuring "Java6" is not allowed to run.
The vulnerability is not present in IE9 or IE10.
